Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 
Community Member


Hi experts,

I'm looking into a network access control solution, and I have the following questions:

1- My understanding is that ACS assigns unauthorized assets to a guest vlan/zone, but what happens next if access to resources (such as internet) requires authentication? In other words, does an ACS-only solution imply manual guest access provisioning, as opposed to automatic provisioning with an overlay NAC Guest server?

2- Captive portal vs. Webauth: My understanding is that ACS alone does not provide a captive portal for guests. It only provides a webauth feature that is mainly a fallback authentication mechanism for employees/managed assets, not guests/unmanaged assets. Is this correct?

3- Finally, the Trustsec v2.00 document ( mentions “Cisco TrustSec 2.0 adds support for Wireless user access. With Cisco TrustSec 2.0, Cisco ISE provides the same authentication methods regardless of user access methods, which could be from wired line or Wi-Fi connection”. Does this mean that ACS has limitations to support wireless connections?

Thank you,


Everyone's tags (3)
Cisco Employee


1. Wrong understanding. ACS does what you tell it to do. It can assign a guest vlan to unknown assets or assign whatever else you like.

What do you mean with an internet access requiring authentication ? If you think about a guest portal, i.e. a web page asking to enter credentials, then ACS doesn't do that, so you have to couple ACS with a Guest Server. That's a bit of a pity because the Guest Server is not a product that will evolve. ISE just do everything in 1.

2. ACS is not a captive portal correct. When you say "it provides a webauth feature that is fallback", it's wrong. ACS doesn't provide anything like that. The switches implement web authentication (or the wireless controllers) and ACS can authenticate the people using that, but ACS is just a radius server saying "yes/no" and giving privileges.

3.ACS has no limitations to support wireless in particular. What the paper says is that ISE provides a captive portal that will be the same for wired or wireless users.

Remember that with ACS, you need to use the captive portal of the switch and WLC or a nac guest server. So not unified.

CreatePlease to create content